Fixes #770 (#774)

* Fixes #770

Signed-off-by: Laird Nelson <laird.nelson@oracle.com>

integrations/cdi/jpa-cdi/src/main/java/io/helidon/integrations/cdi/jpa/JpaExtension.java

@@ -611,6 +611,12 @@ private void processPersistenceXmls(final AfterBeanDiscovery event,
             @SuppressWarnings("deprecation")
             final XMLInputFactory xmlInputFactory = XMLInputFactory.newFactory();
             assert xmlInputFactory != null;
+
+            // See
+            // https://github.com/OWASP/CheatSheetSeries/blob/master/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.md#xmlinputfactory-a-stax-parser
+            xmlInputFactory.setProperty(XMLInputFactory.SUPPORT_DTD, false);
+            xmlInputFactory.setProperty("javax.xml.stream.isSupportingExternalEntities", false);
+
             final Unmarshaller unmarshaller =
                 JAXBContext.newInstance(Persistence.class.getPackage().getName()).createUnmarshaller();
             assert unmarshaller != null;

microprofile/server/src/main/java/io/helidon/microprofile/server/Main.java

@@ -92,9 +92,12 @@ private static String findAndConfigureLogging() throws IOException {
             source = "file: " + path.toAbsolutePath();
         } else {
             // second look for classpath (only the first one)
-            logConfigStream = new BufferedInputStream(Main.class.getResourceAsStream("/" + LOGGING_FILE));
-            if (null != logConfigStream) {
+            InputStream resourceStream = Main.class.getResourceAsStream("/" + LOGGING_FILE);
+            if (null != resourceStream) {
+                logConfigStream = new BufferedInputStream(resourceStream);
                 source = "classpath: /" + LOGGING_FILE;
+            } else {
+              logConfigStream = null;
             }
         }
         if (null != logConfigStream) {